I'm a managing editor at Forbes, overseeing our technology coverage online and in print. I started as a reporter here in 1995 and worked as Midwest bureau chief before returning to NYC as a tech/healthcare editor. Spent the last three years overseeing both wealth and technology coverage. Now it's all tech, all the time. Follow me on Twitter or Facebook or Google+.

Tokenization And The Collapse Of The Credit Card Payment Model

Written by Matt Harris, a managing director at Bain Capital Ventures in New York. Matt, who specializes in financial services startups, has invested in Dwolla and Billtrust. Bain is not an investor in Braintree, Stripe or Square.

It’s been a fascinating couple of weeks in the token world. We have Monopoly’s decision to replace the iron with a cat, based on a poll launched on their Facebook page. Feels like selection bias to me; is anyone surprised that the population of people who are fans of board games on Facebook also like cats?

More germane to my obsession with payments was the announcement that Braintree re-launched Venmo as a cardholder side multi-merchant tokenization system. I realize that’s a mouthful, but here’s what it means:

Braintree provides payment acceptance to many (most?) of the most popular online and mobile merchants, like Uber, Fab, HotelTonight, LevelUp, etc.

Because all of these merchants have huge mobile traffic, they encourage users to “vault” (ie, store) their credit card information with them, so when they return they can check out with one click (or in the case of Uber, no clicks.) In actuality, all of these payment card details are vaulted at Braintree.

Braintree has convinced at least some of these merchants to contribute their users, on an opt-in basis, to a consortium, such that if I am an Uber customer, and I show up to HotelTonight for the first time, Braintree recognizes me and asks me if I want to use the credentials I’ve already stored with Uber to check out with HotelTonight.

Braintree has 35 million credit cards vaulte– maybe 20% of the adult US population, and probably 100% of the early and mid adopters in this country.

The reason the security on this works is the data on the device you are using. Because they fingerprint your phone (or PC), and require a password, they have the classic “something you have” and “something you know” security formulation nailed. In the mobile use case, they also have fraud sensitive data like location; if anything I think this will be a more secure transaction than a typical e-commerce situation (more on that later.)

In the real world, the concept of a token generally refers to the act of substituting something simple and convenient for something more cumbersome or complicated. Think of the utility of a subway token in preference to cash, or (as in Monopoly), how much easier it is to move a game piece around a board than your physical self. In the payments world, tokens have traditionally been used to enhance information security. Tokenization* is a system where you substitute a proxy set of identifying information for the real payment card data, so that merchants don’t have to handle this sensitive and regulated data and it isn’t exposed more than necessary. This original logic for tokenization (keeping merchants free from hosting payments data) has been taken to the next level by Braintree … the same idea is now being used to make the payment experience quicker and easier, through their consortium model (“if you’ve paid anywhere else, you can pay here, too.)

The important irony here, which is also true of Square’s tokenization strategy (Square Wallet, where the Wallet serves as a “token” to mask the underlying payment card credentials), is that the tokens being used are actually more authentic than the underlying “real” identity. Historically and generally, tokens are nonsense strings of characters, designed to abstract away from and hide the true goodies, your credit card number. But consider the token that Braintree is using: the fingerprint of your device plus your location plus a password. And Square? It uses a picture of your face. What’s more real, a 16-digit number or a picture of your face? Remember, the purpose of the payments query that a merchant initiates when you try to pay for something, whether on-line or in-store, is authentication, i.e., are you actually you? This gets done through the inherently flawed mechanism of merely checking the validity of the card that has been presented (or typed in). What Braintree and Square have done is create self-authenticating tokens in a natively multi-merchant construct, and that is a frigging big deal.

The current retail payments industry rests on what is called the four party payment model. The four parties in question are: 1) cardholder, 2) cardholder’s bank, 3) merchant and 4) merchant’s processor/bank, also known as the merchant acquirer. When the cardholder swipes their card at a merchant, the card and transaction data flow through the merchant acquirer to the cardholder’s bank, which confirms that the cardholder is authorized to make the transaction. This structure was invented and is perpetuated by Visa and Mastercard, which serve as the information switches between the four parties.

I think it’s more than a coincidence that Visa was founded shortly after the interstate highway system. Before Visa, non-cash transactions were done using store credit. Because most merchants knew most of their customers before the 1950s, they didn’t need elaborate authentication schemes. After the 1950s, Americans grew far more mobile, and store credit became less practical; hence Visa and Mastercard emerged, to enable transactions between strangers. If you’ve ever used Square Wallet, you’ll know what I’m talking about here: it feels like the 1940s. When your face pops up on the retailer’s point of sales system, and the clerk calls you by name, you are no longer a stranger. I’ve yet to have the pleasure, but I’m certain that when I show up on OpenTable and am greeted by name and asked if I want to check out with my Uber credentials, I will also feel warmly recognized.

This is horribly threatening for all of the incumbent players in the four party model: traditional acquirers, issuer and the networks. Plain vanilla merchant acquirers will struggle to compete with Braintree online and Square offline as their tokenized user bases grow (NB: Square is actually well behind Braintree on this front and we’ll see how they do; IRL is harder than online.) The issuers lose their ability to differentiate. Once tokenized and hidden, any given card product is far more vulnerable to being displaced, as the issuers have already learned from PayPal. How do you stay “top of wallet” when there is no real wallet? As for the networks, their demise is harder to articulate. Visa and Mastercard are fortresses, growing 20% per year like clockwork, despite the law of large numbers. I will leave it at this: in a world where everyone is known, there is no need for an omniscient middleman. That feels like a scary fact for the networks.

* I’m sure there is a specific definition of tokenization that I’m getting wrong.

Post Your Comment

Post Your Reply

Forbes writers have the ability to call out member comments they find particularly interesting. Called-out comments are highlighted across the Forbes network. You'll be notified if your comment is called out.

Comments

While I agree with your premise – the fact of the matter is both Visa & MasterCard are still getting their cut on the backend from the consumer’s card funding the ‘token’/wallet/card-on-file, etc… Square and Braintree are great examples of ‘disruptors’ in the payments vertical. In essence, they both are built upon a focus of streamlining the process of obtaining and processing Cards in a far quicker way then what merchants have to go thru with the ‘legacy processors/acquirer’ – while also targeting the value add experience of the consumers who are using the mobile phone as a payment form factor.

Taking it one step further – look at what “Dwolla” is doing – completely taking the card schemes out of the transaction between the merchant and consumer. Replacing with a real time bank transfer solution which is far lower in cost to the merchants. The key here is distribution and reaching a critical mass for consumers familiar with this method. Either way – the banks maintain their ‘stickiness’ factor to the consumer’s DDA thru Dwolla – or – takes a cut from interchange in the Visa/MasterCard model.

All these companies are still using the same credit/debit card networks but adding yet another layer into the value chain in the form of an e-commerce Username/Password credential. Paypal did this 15 years ago. Credit cards were never designed, from a risk perspective, to work on the Internet and these companies are filling that with a UN/PW credential…its not tokenization in an encryption sense.

Dwolla is not doing actual real-time bank-to-bank transfers. They use ACH, which is a batch process that takes 2-3 days to settle. There are ways to make seem like it is real-time, but it is not without risk.

The disruptors you cite, do not bypass the brands at all. They merely offer a level of indirection between the cardholder and the payment networks. The duopoly and the payment networks continue to levy their fees.

Also, there is nothing really technologically earth shattering about tokenization. I am not sure what “Once tokenized and hidden, any given card product is far more vulnerable to being displaced, as the issuers have already learned from PayPal” means.

If (and when) Square and Braintree convince consumers to attach a checking account instead of a credit card to the token, the duopoly of the payment networks will start to topple. It’s cheaper for consumers to go with debit solution. PayPal does a really good job encouraging consumers to use their checking account to fund and retrieve from PayPal, but it doesn’t pass along the savings in fees. That makes paypal vulnerable to a competitor willing to come in with slightly lower fee structure.

Agree on most, but let’s be honest, people don’t use credit cards rather than checking account debit cards because of convenience and most will never transition to debit transactions because they are cheaper. It’s always been cheaper to pay with money you already have rather than credit, but the the fact remains, people spend beyond their means and live a paycheck (at least one) behind. In order for this habit to change the public school system needs to recognize the need for financial education and start focusing on it at a young age and continue it through graduation. It may take 20 years to start seeing dividends but it would be worth the wait.

Since 2009, debit card volumes in the US have been greater than credit card volumes. In particular, people under 30 dramatically prefer debit cards … perhaps they are not being offered credit, post credit crisis and CARD Act, but I think people are actually leery of revolving credit at this point.